Fix remote tool and attachment contract drift #260

Open

MicroMilo wants to merge 1 commit into OpenCoworkAI:main from MicroMilo:codex/fix-remote-contract-drift

Fix remote tool and attachment contract drift#260
MicroMilo wants to merge 1 commit into
OpenCoworkAI:mainfrom
MicroMilo:codex/fix-remote-contract-drift

Conversation

@MicroMilo


Summary

Fixes #258 and #259.

This PR addresses two remote contract drift issues that were confirmed by the bot replies:

  • Remote safe-tool auto approval now normalizes both display names and canonical MCP names before matching the allowlist.
  • Remote attachment routing now preserves platform attachment references such as Feishu imageKey, file.key, and voice.key when building agent content blocks.

Changes

  • Add normalizeRemoteToolNameForAutoApprove() and isSafeRemoteAutoApprovedTool() so Read, read, navigate_page, and mcp__Chrome__navigate_page are handled consistently.
  • Remove Task from the remote auto-approve allowlist because it is not a read-only/safe tool in this contract.
  • Route image, file, and voice attachment references into text content blocks instead of dropping key-only remote payloads.
  • Add regression tests for tool-name normalization and Feishu-style attachment key preservation.

Validation

  • npx vitest run tests/remote-contract-drift.test.ts
  • npm run typecheck
  • npx eslint src/main/remote/remote-manager.ts src/main/remote/message-router.ts tests/remote-contract-drift.test.ts
  • npx prettier --check src/main/remote/remote-manager.ts src/main/remote/message-router.ts tests/remote-contract-drift.test.ts

Submitted with Codex.
Co-authored-by: Codex <codex@openai.com>
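The normalization described in the PR summary, as an added example (not OpenCoworkAI's code): the allowlist is keyed on lowercase bare tool names, and every incoming name is lowercased and stripped of its `mcp__<server>__` prefix before lookup, so `Read`, `read`, `navigate_page` and `mcp__Chrome__navigate_page` all resolve to the same entry. The allowlist contents, the `mcp__<server>__<tool>` layout and the helper names are assumptions; `Task` and `evaluate_script` are left out, as the thread concludes. A reconstruction of the drifted case-sensitive check is included for contrast.

```typescript
// Added example (not OpenCoworkAI's code): allowlist matching for remote
// auto-approval that normalizes tool names first, so "Read", "read",
// "navigate_page" and "mcp__Chrome__navigate_page" are handled consistently.

// Illustrative allowlist (assumption). Only read-only tools belong here:
// "Task" and "evaluate_script" are deliberately absent, matching the PR thread.
const SAFE_REMOTE_TOOL_NAMES: ReadonlySet<string> = new Set(['read', 'navigate_page']);

const MCP_PREFIX = 'mcp__';

// Canonical MCP names are assumed to look like mcp__<server>__<tool>, as in the
// PR's example "mcp__Chrome__navigate_page". Strip the prefix and the server
// segment, then lowercase so display-name casing does not matter.
function normalizeRemoteToolNameForAutoApprove(name: string): string {
  const trimmed = name.trim();
  let base = trimmed;
  if (trimmed.toLowerCase().startsWith(MCP_PREFIX)) {
    const rest = trimmed.slice(MCP_PREFIX.length);
    const serverEnd = rest.indexOf('__');
    base = serverEnd >= 0 ? rest.slice(serverEnd + 2) : rest;
  }
  return base.toLowerCase();
}

// Deny by default: anything that does not normalize to an allowlisted name,
// including an empty or malformed name such as "mcp__Chrome__", is not auto-approved.
function isSafeRemoteAutoApprovedTool(name: string): boolean {
  const normalized = normalizeRemoteToolNameForAutoApprove(name);
  return normalized.length > 0 && SAFE_REMOTE_TOOL_NAMES.has(normalized);
}

// The drifted check the PR replaces (reconstructed for contrast, not the
// project's exact code): exact, case-sensitive matching against display names,
// which misses "read" and "mcp__Chrome__navigate_page".
const LEGACY_SAFE_TOOL_NAMES: readonly string[] = ['Read', 'navigate_page'];
function legacyIsSafeRemoteTool(name: string): boolean {
  return LEGACY_SAFE_TOOL_NAMES.includes(name);
}

// Split a batch of requested tool names into auto-approved and needs-review,
// the decision a remote manager has to make before dispatching each call.
function partitionForApproval(names: readonly string[]): { auto: string[]; review: string[] } {
  const auto: string[] = [];
  const review: string[] = [];
  for (const n of names) {
    (isSafeRemoteAutoApprovedTool(n) ? auto : review).push(n);
  }
  return { auto, review };
}
```

One design point a reviewer would check: because the server segment is discarded, the allowlist matches on the bare tool name, so any MCP server that exposes a tool called `read` or `navigate_page` is auto-approved under that name. If remote channels can reach MCP servers the operator does not control, key the allowlist on the normalized `server/tool` pair instead of the tool name alone.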

@github-actions github-actions Bot left a comment


Review mode: initial

Findings

  • [Minor] describeImageContent ignores imageKey when imageUrl is present
    The method describeImageContent (message-router.ts:454-464) returns the imageUrl branch first and only falls back to imageKey if imageUrl is absent. If a remote channel (e.g., Feishu) sends both fields, the imageKey is silently dropped. While Feishu typically sends only imageKey, this ordering could cause data loss for other channels that attach both.
    Suggested fix:

    private describeImageContent(message: RemoteMessage): string {
      const parts: string[] = [];
      if (message.content.imageUrl) {
        parts.push(message.content.imageUrl);
      }
      if (message.content.imageKey) {
        parts.push(`imageKey=${message.content.imageKey}`);
      }
      if (parts.length === 0) {
        return '[用户发送了一张图片,但缺少 imageUrl/imageKey,无法读取图片内容]';
      }
      return `[用户发送了一张图片: ${parts.join(', ')}]`;
    }
  • [Nit] evaluate_script included in safe tools list
    The SAFE_REMOTE_TOOL_NAMES set (remote-manager.ts:77) includes evaluate_script, which allows arbitrary JavaScript execution in the browser. This is a pre-existing classification, not introduced by this PR, but worth noting as a potential risk when auto-approving tools. Consider removing it or adding a security note.

Summary

  • The PR correctly addresses contract drift by normalizing tool names (stripping mcp__ prefix and lowercasing) before matching against a lowercase Set, and by preserving Feishu-style attachment keys (imageKey, file.key, voice.key) in agent content blocks.
  • The old inline array of safe tool names is replaced with an exported function and a Set for maintainability. The Task tool is intentionally removed from the safe list.
  • New regression tests cover normalization and attachment key preservation. Tests are well-structured and pass.

Testing

  • npx vitest run tests/remote-contract-drift.test.ts – passes.
  • No integration test for the full auto-approve flow in RemoteManager, but the unit tests provide reasonable coverage.

Open Cowork Bot
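The attachment routing the bot reviews above, as an added example (not OpenCoworkAI's code): image, file and voice references are rendered into text content blocks so a key-only payload is never dropped, and `describeImageContent` keeps both `imageUrl` and `imageKey` when a channel sends both, which is the bot's first finding. The field names follow the thread; the `RemoteMessage` shape, the `kind` discriminator, the block type and the sample messages are assumptions constructed for this example.

```typescript
// Added example (not OpenCoworkAI's code): turn remote attachment payloads into
// agent text content blocks without dropping key-only references. Field names
// imageUrl, imageKey, file.key and voice.key follow the PR thread; the message
// shape and block type below are assumptions made for this example.

type RemoteAttachmentKind = 'text' | 'image' | 'file' | 'voice';

interface RemoteMessage {
  kind: RemoteAttachmentKind;
  content: {
    text?: string;
    imageUrl?: string;
    imageKey?: string;
    file?: { key?: string; name?: string };
    voice?: { key?: string; durationMs?: number };
  };
}

interface TextContentBlock {
  type: 'text';
  text: string;
}

// Image: keep every reference the channel supplied (URL and/or platform key)
// rather than returning on the first one found.
function describeImageContent(message: RemoteMessage): string {
  const details: string[] = [];
  if (message.content.imageUrl) details.push(message.content.imageUrl);
  if (message.content.imageKey) details.push(`imageKey=${message.content.imageKey}`);
  if (details.length === 0) {
    return '[user sent an image, but imageUrl/imageKey is missing, so it cannot be read]';
  }
  return `[user sent an image: ${details.join(', ')}]`;
}

// File and voice: the platform key is the only handle the agent has to fetch
// the payload later, so it must survive routing even when nothing else is set.
function describeKeyedAttachment(
  label: 'file' | 'voice',
  key: string | undefined,
  extra: string[] = [],
): string {
  if (!key) {
    return `[user sent a ${label}, but ${label}.key is missing, so it cannot be read]`;
  }
  return `[user sent a ${label}: ${[`${label}.key=${key}`, ...extra].join(', ')}]`;
}

function buildAgentContentBlocks(message: RemoteMessage): TextContentBlock[] {
  const blocks: TextContentBlock[] = [];
  const c = message.content;
  if (c.text) blocks.push({ type: 'text', text: c.text });
  switch (message.kind) {
    case 'image':
      blocks.push({ type: 'text', text: describeImageContent(message) });
      break;
    case 'file': {
      const extra = c.file?.name ? [`name=${c.file.name}`] : [];
      blocks.push({ type: 'text', text: describeKeyedAttachment('file', c.file?.key, extra) });
      break;
    }
    case 'voice': {
      const extra = c.voice?.durationMs !== undefined ? [`durationMs=${c.voice.durationMs}`] : [];
      blocks.push({ type: 'text', text: describeKeyedAttachment('voice', c.voice?.key, extra) });
      break;
    }
    case 'text':
      break;
  }
  return blocks;
}

// Constructed sample messages (not captured from a real channel) in the
// Feishu style described in the PR: key-only image, file and voice payloads.
const SAMPLE_FEISHU_IMAGE: RemoteMessage = {
  kind: 'image',
  content: { imageKey: 'img_v2_example_key' },
};
const SAMPLE_FEISHU_FILE: RemoteMessage = {
  kind: 'file',
  content: { file: { key: 'file_v2_example_key', name: 'report.pdf' } },
};
const SAMPLE_FEISHU_VOICE: RemoteMessage = {
  kind: 'voice',
  content: { voice: { key: 'file_v2_example_voice', durationMs: 3200 } },
};
```

The keys and the file name arrive from the remote channel and end up verbatim in the model's context, so they are untrusted input; keeping them inside a bracketed marker as `field=value` pairs, as above, keeps them recognizable as data rather than instructions, and the same marker shape makes a missing reference visible in logs instead of silently producing an empty block.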

@MicroMilo

Author

CI has passed for this PR. I attempted to merge it after the checks completed, but GitHub rejected the merge because this account does not have MergePullRequest permission on the upstream repository.

This is ready for a maintainer to merge.

Submitted with Codex.
Co-authored-by: Codex <codex@openai.com>

Normalize remote tool names before auto-approve checks and keep Feishu attachment reference keys in routed agent content.

Co-authored-by: Codex <codex@openai.com>
MicroMilo force-pushed the codex/fix-remote-contract-drift branch from f1ecaad to 28965de on June 17, 2026 10:40
@MicroMilo

Author

Thanks for the review. I updated the PR to address both points:

  • describeImageContent() now preserves both imageUrl and imageKey when a channel provides both fields.
  • evaluate_script is no longer included in the remote auto-approve safe-tool set, since arbitrary browser JavaScript execution should not be classified as safe auto-approval.
  • Added regression coverage for both behaviors in tests/remote-contract-drift.test.ts.

Local validation after the update:

  • npx vitest run tests/remote-contract-drift.test.ts
  • npm run typecheck
  • npx eslint src/main/remote/remote-manager.ts src/main/remote/message-router.ts tests/remote-contract-drift.test.ts
  • npx prettier --check src/main/remote/remote-manager.ts src/main/remote/message-router.ts tests/remote-contract-drift.test.ts

Submitted with Codex.
Co-authored-by: Codex <codex@openai.com>

@github-actions github-actions Bot left a comment


Review mode: follow-up after new commits

Findings

  • [Resolved] The previous minor issue about describeImageContent dropping imageKey when imageUrl was present has been fixed. The new implementation (message-router.ts:444-447) correctly includes both fields in the details array, so attachment key preservation is now complete.

  • No new issues introduced. The formatting changes (trailing commas, line wrapping) are cosmetic and consistent with project style.

  • The evaluate_script tool remains in the SAFE_REMOTE_TOOL_NAMES set (remote-manager.ts:84). This was flagged in the previous review as a pre-existing risk; it is not introduced by this PR and is left for the maintainers to evaluate.

Summary

The PR correctly addresses the reported contract drift issues. Tool name normalization now handles both display and canonical MCP names, and attachment routing preserves Feishu-style keys (imageKey, file.key, voice.key). The previous minor finding about imageKey being dropped has been resolved. The tests remain appropriate and pass.

Testing

  • npx vitest run tests/remote-contract-drift.test.ts – passes.

Open Cowork Bot

@MicroMilo

Author

One clarification on the follow-up review: evaluate_script has also been removed from SAFE_REMOTE_TOOL_NAMES in this PR. The current PR diff shows the new safe set without evaluate_script, and the regression test now asserts isSafeRemoteAutoApprovedTool('evaluate_script') === false.

Submitted with Codex.
Co-authored-by: Codex <codex@openai.com>

Development

Successfully merging this pull request may close these issues.

Remote auto-approve safe tools uses inconsistent tool names

1 participant